Cutting through the fluff around the Target PIN breach

OK, so Target is back in the news, and it’s nowhere near as bad this time, but there’s some posturing and some fluff in the coverage, so I’ll take it upon myself to demystify some of it. Some of it’s PR fluff and some of it’s highly technical, so I’ll cut through both.

I’m just glad–I guess–to be talking about this stuff outside of a job interview. Like I said, this time the news isn’t nearly as bad as it could be.

The PINs were stolen, but they were encrypted. Encryption is like the scrambling that keeps people from stealing cable TV: the data is transformed so that it is unreadable to anyone without the secret key. Data like PINs and credit card numbers are supposed to be encrypted, and a fixed substitution, like just shifting every letter or number forward one place (A to B, B to C, etc.), doesn’t cut it, because anyone who knows the trick can undo it without any key at all. Don’t ask me why the card numbers themselves weren’t encrypted, but at least the PINs were.

The keys were not stolen, and were never in Target’s possession in the first place. The key is a long, random value that you need in order to decrypt the data. Sometimes people aren’t careful about where they store their keys, and a key sitting on the same systems as the encrypted data is the usual way “encrypted” data ends up readable after a breach. Whether Target should have the key at all, stored elsewhere, is another discussion; the important thing here is that the people who stole the PINs didn’t get the key, so what they have is a mess of scrambled data.

So what’s this Triple DES encryption all about? Target describes Triple DES as “highly secure,” which wouldn’t have been my preferred choice of words. Triple DES is an acceptable encryption method in this case, but not something I would brag about. DES is an old encryption standard, developed by IBM in the 1970s and adopted as a U.S. federal standard in 1977 after review by the NSA. Its key is only 56 bits long, and by 1998 a purpose-built machine could find a DES key by trying every possibility in a matter of days. When DES became obsolete, the industry looked for options, and one of them was to run the data through DES three times with two or three different keys (encrypt, then decrypt, then encrypt), hence Triple DES; that gives an effective key of 112 or 168 bits. This became standard practice around 1999, when it was formalized as FIPS 46-3, and it is still accepted practice today. Best practice today is to use AES, the standard that replaced DES in 2001. AES is stronger (128-, 192- or 256-bit keys and a 128-bit block instead of DES’s 64-bit block) and faster.

Any encryption can in principle be broken by just guessing the key, but since Target was using an accepted standard and the key was stored elsewhere, that isn’t a realistic route: a two-key Triple DES key has 2^112 possibilities, which is not a job of several years but one that no amount of computing anyone can buy will finish. Long before anyone gets through a meaningful fraction of that key space, the cards will all be expired and replaced. The practical risk to encrypted PINs is the key leaking, not the key being guessed.
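To make the last two paragraphs concrete, here is an added example (mine, not Target’s or anyone’s production code) that does what a PIN pad and its processor do: it builds an ISO 9564 format-0 PIN block, which mixes the card number into the PIN before encryption so that the same PIN on two cards never produces the same ciphertext, encrypts that single 8-byte block with two-key Triple DES using Go’s standard library, decrypts it on the “processor” side, and then puts a number on the brute-force claim with a back-of-the-envelope key-search estimate. The PAN, PIN and 16-byte key are constructed test values, not real card data, and the guess rate fed to the estimate is an assumption for illustration.

```go
package main

import (
	"bytes"
	"crypto/cipher"
	"crypto/des"
	"encoding/hex"
	"errors"
	"fmt"
	"math"
	"strings"
)

// panField returns the ISO 9564-1 format-0 PAN field as 8 bytes: "0000"
// followed by the twelve PAN digits immediately before the Luhn check digit.
func panField(pan string) ([]byte, error) {
	if len(pan) < 13 {
		return nil, errors.New("PAN must be at least 13 digits")
	}
	body := pan[:len(pan)-1] // drop the check digit
	return hex.DecodeString("0000" + body[len(body)-12:])
}

// pinBlockISO0 builds a format-0 PIN block: the PIN field ("0", PIN length as one
// hex digit, the PIN digits, 'F' padding to 16 hex digits) XORed with the PAN
// field. Because the PAN is mixed in, the same PIN on two different cards gives
// two different plaintext blocks and therefore two different ciphertexts.
func pinBlockISO0(pin, pan string) ([]byte, error) {
	if len(pin) < 4 || len(pin) > 12 {
		return nil, errors.New("PIN must be 4 to 12 digits")
	}
	for _, r := range pin + pan {
		if r < '0' || r > '9' {
			return nil, errors.New("PIN and PAN must be decimal digits")
		}
	}
	pf := fmt.Sprintf("0%X%s", len(pin), pin)
	pf += strings.Repeat("F", 16-len(pf))
	p, err := hex.DecodeString(pf)
	if err != nil {
		return nil, err
	}
	q, err := panField(pan)
	if err != nil {
		return nil, err
	}
	block := make([]byte, des.BlockSize)
	for i := range block {
		block[i] = p[i] ^ q[i]
	}
	return block, nil
}

// recoverPIN is the processor-side inverse: XOR the PAN field back out of a
// decrypted format-0 block and read the PIN digits after the length nibble.
func recoverPIN(block []byte, pan string) (string, error) {
	q, err := panField(pan)
	if err != nil {
		return "", err
	}
	pf := make([]byte, des.BlockSize)
	for i := range pf {
		pf[i] = block[i] ^ q[i]
	}
	if pf[0]>>4 != 0 {
		return "", errors.New("not a format-0 PIN block")
	}
	n := int(pf[0] & 0x0f)
	if n < 4 || n > 12 {
		return "", errors.New("bad PIN length nibble")
	}
	s := hex.EncodeToString(pf)
	return s[2 : 2+n], nil
}

// tdes returns a two-key Triple DES cipher (K1, K2, K1) for a 16-byte key.
func tdes(k16 []byte) (cipher.Block, error) {
	if len(k16) != 16 {
		return nil, errors.New("two-key 3DES needs a 16-byte key")
	}
	k := append(append(make([]byte, 0, 24), k16...), k16[:8]...)
	return des.NewTripleDESCipher(k)
}

// encryptPinBlock encrypts one 8-byte PIN block under the PIN-pad key.
func encryptPinBlock(k16, block []byte) ([]byte, error) {
	if len(block) != des.BlockSize {
		return nil, errors.New("PIN block must be 8 bytes")
	}
	c, err := tdes(k16)
	if err != nil {
		return nil, err
	}
	out := make([]byte, des.BlockSize)
	c.Encrypt(out, block)
	return out, nil
}

// decryptPinBlock is what the party holding the key (the processor, not the
// merchant) does. Without the key the ciphertext is 8 random-looking bytes.
func decryptPinBlock(k16, ct []byte) ([]byte, error) {
	if len(ct) != des.BlockSize {
		return nil, errors.New("ciphertext must be 8 bytes")
	}
	c, err := tdes(k16)
	if err != nil {
		return nil, err
	}
	out := make([]byte, des.BlockSize)
	c.Decrypt(out, ct)
	return out, nil
}

// bruteForceYears is the expected time to search half the key space of a key
// with the given effective strength at the given guess rate: an
// order-of-magnitude illustration, not a benchmark.
func bruteForceYears(effectiveBits, guessesPerSecond float64) float64 {
	const secondsPerYear = 365.25 * 24 * 3600
	return math.Pow(2, effectiveBits-1) / guessesPerSecond / secondsPerYear
}

func main() {
	// Constructed sample data: a test PAN, a made-up PIN and a made-up key
	// standing in for the processor's key. Not real card data.
	key, _ := hex.DecodeString("0123456789ABCDEFFEDCBA9876543210")
	for _, pan := range []string{"4111111111111111", "5555555555554444"} {
		block, _ := pinBlockISO0("1234", pan)
		ct, _ := encryptPinBlock(key, block)
		pt, _ := decryptPinBlock(key, ct)
		pin, _ := recoverPIN(pt, pan)
		fmt.Printf("PAN %s block %x 3DES %x recovered %s ok=%v\n",
			pan, block, ct, pin, bytes.Equal(pt, block))
	}
	// Assumed guess rate of 10^12 keys per second for the estimate.
	fmt.Printf("56-bit DES:        %.4f years\n", bruteForceYears(56, 1e12))
	fmt.Printf("112-bit 2-key 3DES: %.2e years\n", bruteForceYears(112, 1e12))
}
```

Running it shows the same PIN turning into two unrelated PIN blocks and ciphertexts for the two cards, and the estimate shows why the key size matters: single DES falls in hours at that rate, while two-key Triple DES takes on the order of 10^13 years. The block is encrypted as a single ECB block because a PIN block is exactly one cipher block wide; that is how PIN-pad protocols carry it, and it is only safe because the PAN is XORed in first.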

But that point is kind of moot, since a crook can still make a fake credit card with the number on it and swipe it anywhere a PIN isn’t asked for. The crook just can’t use it at an ATM or for PIN-based debit.

I’m glad the PINs were encrypted, but the more important piece wasn’t encrypted, so Target still has a problem. So do its customers.